The question a lot of people were asking was: what about stable (or Wheezy)? After way too much time due to other pressing issues, I have just uploaded the patched WordPress Debian package for stable. The fixed version has the catchy number of 3.6.1~deb7u5. This package has all of the relevant patches that went in from WordPress 3.7.4 to 3.7.5, and there are even CVE IDs for this package (and 4.0.1, which all this stems from).
I was recently updating some code that uses fping. Initially it used exec() that was redirected to a temporary file, but I changed it to use popen. While it had been a while since I’ve done this sort of thing, I do recall there was an issue with running popen on a setuid binary. I later found it is mainly around setuid scripts, which are very problematic and there are good reasons why you don’t do this.
Anyhow, the program worked fine which surprised me. Was fping setuid root to get the raw socket?
$ ls -l /usr/bin/fping
-rwxr-xr-x 1 root root 31464 May  6 21:42 /usr/bin/fping
It wasn’t, which at first made me think “ok, so that’s why popen is happy”. The way that fping and other programs work is they bind to a raw socket. This socket sits below the normal sockets such as the ones used for TCP and UDP, and normal users cannot use them by default. So how did fping work its magic and get access to this socket? It used Capabilities.
Previously, getting privileged features had a big problem: it was an all or nothing thing. You want access to a raw socket? Sure, be setuid, but that means you also could, for example, read any file on the system or set passwords. Capabilities provide a way of giving programs a better level of access, but not a blank cheque.
The tool getcap is the way of determining what capabilities are set on a file. These capabilities are extended attributes on the file which, when the file is run, turn into capabilities (extra permissions) of the resulting process. fping has the capability cap_net_raw+ep applied to it. This gives access to RAW and PACKET sockets, which is what fping needs. The +ep after the capability name means it is in the Effective and Permitted sets, which describes what happens with child processes and dropping privileges.
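getcap shows what is set on the file; what a practitioner usually wants to confirm next is what the running process actually ended up with, which the kernel reports as hex bitmasks (CapInh, CapPrm, CapEff, CapBnd, CapAmb) in /proc/<pid>/status. The following is an added example, not code from the post or from fping, that decodes those masks into capability names. The capability numbers come from <linux/capability.h> (CAP_NET_RAW is bit 13); the two status snippets are constructed samples, one resembling a process started from a binary carrying cap_net_raw+ep and one an ordinary process.

```python
import re

# Capability bit numbers from <linux/capability.h>; bit 13 is CAP_NET_RAW.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}

# One "CapXxx:<tab><hex>" line from /proc/<pid>/status.
CAP_SET_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$")


def decode_mask(hex_mask):
    """Turn a hex capability bitmask into the list of capability names it contains."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def parse_status(status_text):
    """Return {set_name: [capability names]} for every Cap* line in a status file."""
    sets = {}
    for line in status_text.splitlines():
        m = CAP_SET_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def has_effective(status_text, cap_name):
    """True if the process can use cap_name right now, i.e. it is in the Effective set."""
    return cap_name in parse_status(status_text).get("CapEff", [])


def running_process_status(pid="self"):
    """Read the live status file of a process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as fh:
        return fh.read()


# Constructed sample: an unprivileged user running a binary that carries
# cap_net_raw+ep. Only bit 13 (0x2000) is Permitted and Effective.
SAMPLE_CAP_PROCESS = """\
Name:\tfping
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: the same user running an ordinary binary with no capabilities.
SAMPLE_PLAIN_PROCESS = """\
Name:\tsleep
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("fping-like", SAMPLE_CAP_PROCESS), ("plain", SAMPLE_PLAIN_PROCESS)):
        print(label, "effective:", parse_status(text)["CapEff"])
    # Inspect the interpreter itself; the Effective set is normally empty for a user.
    print("this interpreter effective:", parse_status(running_process_status())["CapEff"])
```

The useful contrast is between CapBnd and CapEff: the bounding set lists everything a process could ever be granted, while the Effective set is what it can use right now, which for the fping-like sample is just cap_net_raw. To find every file on a system that carries such attributes, getcap -r /usr 2>/dev/null lists them in the same name+flags form the post quotes.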
I hadn’t seen these Capabilities before. They are a nice way to give your programs the access they need while limiting the risk of something going wrong and having a rogue program running as root.
- Lesser-known tool of the day: getcap, setcap and file capabilities (insecure.ws)
- Using File Capabilities Instead Of Setuid (wiki.archlinux.org)
- Safer suexec: from setuid to Linux capabilities (welldefinedbehaviour.wordpress.com)
- Kees Cook: easy example of filesystem capabilities (outflux.net)
The Debian package of WordPress version 3.9.1 was uploaded to the ftp master recently. While the update was pretty simple, the upload took a lot more doing. I’m not sure why the Debian ftp-master server didn’t like me, but it was so slow. Strangely, even dcut uploads were slow and they are only a few lines of text.
Apologies for the delay too, I’m not sure why I didn’t notice the update from 3.9 to 3.9.1 but there you go.
The other change is that the package uses the system CA certificates rather than the ones pre-shipped with wordpress. This is done so that if the administrator makes decisions on what certificates to trust, then the wordpress client http libraries will follow that decision.
Yesterday I mentioned that WordPress had an important security update to 3.8.2. The particular security bugs also impact the stable Debian version of WordPress, so those patches have been backported. I’ve uploaded the changes to the security team, so hopefully there will be a new package soon.
The version you are looking for will be 3.6.1+dfsg-1~deb7u2 and will be on the Debian security mirrors.
Today as it was raining and I couldn’t do much gardening, psmisc version 22.21 was released. The files are located up on sourceforge at https://sourceforge.net/projects/psmisc/files/latest/download or at your favorite distro repository soon. Once again, thanks to all patch submitters, bug reports and translators for all their help in getting this out. Apologies to the translation teams for having two alpha versions.
So what does psmisc 22.21 bring you? Amongst a lot of minor bug fixes it has:
- If you started a process, spawned some threads and then changed the names of the threads, pstree would show the “old” name; it now shows the correct new name
- pstree has a new flag (-N) for namespace support, thanks Aristeu for the patches
- Previously fuser -M flag only worked if it was before -m, now it can be either order
The Debian psmisc package should be out in the next few hours.
Well, if you can read this then you know it’s working. After way too many weeks, Debian will have WordPress version 3.8. Thanks to Raphaël for his kind assistance and answering my questions about how it was built. The upload is still gurgling along and will make it there in its own time. He said “Handing over packages is hard”; I’d agree, but say taking over them is too.
So, what does WordPress 3.8 look like? From the “frontend” I didn’t really notice much. The big changes, at least cosmetically, seem to be for the admin backend. It just looks slicker and cleaner.
Hopefully Debian users find the update useful and I’ve not broken anything. There’s always the BTS if there is. I’ve deliberately tried to minimise the changes for this version to limit the breakage.
I really don’t know why Ethernet device makers insist on making it hard to use their products. Ethernet has been around for many, many years; surely it’s not too much to ask for drivers that “just work”.
And so that’s the problem I currently have with my new computer. It has an onboard Ethernet interface which uses a Realtek chip and that’s where the problems have been (with the exception of a power button that wriggled free, but that is also easy to fix).
The device comes up as:
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 06)
- The R8169 driver that comes with most of the Debian kernels
- r8168-dkms driver
- The 8168 driver from the realtek site
and none of them work. It seems that the receive side works fine (I sometimes get a valid IPv6 address) but no packets are sent; even ifconfig eth0 shows zero transmitted packets.
ethtool shows some of the setup; this is with the r8168 driver:
driver: r8168
version: 8.037.00-NAPI
firmware-version:
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
Interestingly, if I use the r8169 driver in the kernel and try ifup eth0 then I do get an entry in the firmware-version spot.
dmesg also shows that it finds the device.
[ 0.916487] r8168 Gigabit Ethernet driver 8.037.00-NAPI loaded
[ 0.916667] r8168 0000:03:00.0: irq 72 for MSI/MSI-X
[ 0.939129] r8168: This product is covered by one or more of the following patents: US6,570,884, US6,115,776, and US6,327,625.
[ 0.939136] r8168 Copyright (C) 2013 Realtek NIC software team <[email protected]>
[ 10.807066] r8168: eth0: link up
So it all looks good, except it won’t send any packets. Anyone got one of these devices and if so (and more importantly) how did you get it to work?
There are plans to move all utilities that use the proc filesystem under one package which will make the maintenance of them simpler, which in effect means moving pidof from sysvinit-tools to procps. The short-term bump should make it better in the long term.
Now as I wear two hats (Debian maintainer and procps upstream) there are two very important things I/we need to know.
- If your Debian package depends on pidof being present, then we need to discuss dependencies. procps is generally installed on most systems, but there might be corner cases. Possibly just depending on a specific version of procps will do it.
- If you, your Debian package or anything else (including other distributions) need the non-LSB options of pidof (i.e. they use -c, -n or -m), then we (upstream) need to know about it. There are provisional plans not to support these options, but if they’re needed, or a subset is, then that could change.
top comes with NUMA support, which is a soft dependency, meaning that if compiled with the support, top will try to link at runtime to libnuma. The new key presses are ‘2’ and ‘3’, which will show the Nodes or more detail about a specific node respectively.
ps has two new output columns: unit and uunit. These permit ps to display the systemd unit and user unit fields. The systemd support is a hard dependency which is enabled with --with-systemd.
procps-ng is available from gitorious or sourceforge:
procps-ng version 3.3.7 was released today. It has some new and interesting features in the top program that Jim has been busy working on. There is a new filter feature which can exclude fields that match a value for example. The remainder of the changes are small bug fixes and getting the compile warnings count down with -Wall enabled. The library revision was updated but this did not involve an API or ABI change.
procps-ng can be downloaded off the sourceforge page which has the current and previous releases stored there. Alternatively you can visit our gitorious page if git fetch is more your thing. Debian packages will be going into experimental until the freeze is over and we get things unblocked.